3rd Party Risk Management , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security

9 Ransomware Trends: More Leaks, Higher Ransom Payments

By Nearly Every Measure, Ransomware Attacks Got Worse in 2021, Researchers Report
9 Ransomware Trends: More Leaks, Higher Ransom Payments
Source: Chainalysis

By almost every measure, ransomware continues to get worse, not least in the average ransom criminals receive when a victim chooses to pay a ransom.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

So say multiple reports comparing the 2021 volume and severity of ransomware attacks, as well as the flow of cryptocurrency from victims to attackers and from attackers to service providers, to previous years.

Any study of ransomware must carry this caveat: Not all ransomware attacks come to light publicly. Thus the true volume of attacks, number of ransom payments remitted to attackers and so on may never truly be known.

But at least some attacks do come to light publicly - for example, when victims' names get posted to a data leak site or they detail that they've fallen victim in regulatory filings. In other cases, incident response firms or governments' response teams will know of an attack, because they investigated it.

With that in mind, here are nine trends seen in 2021 by security researchers, ransomware responders and government cybersecurity officials.

1. Data Leaks Increase

CrowdStrike's comparison of data leaks by top 10 most affected sectors - 2020 (red) versus 2021 (black)

Since the now-defunct Maze group in 2019 pioneered stealing data before crypto-locking systems and threatening to dump the data to try and force nonpaying victims into giving it a ransom, other groups followed.

This tactic, known as double extortion, continues to be widely used.

Cybersecurity firm CrowdStrike reports that last year, the number of ransomware attacks that resulted in stolen data being publicly leaked increased by 82%, from 1,474 in 2020 to 2,686 in 2021.

2. More Strains of Ransomware

Source: Chainalysis

Highlighting the ongoing popularity of ransomware with criminals, more new strains of ransomware debuted last year than ever before.

"Although some adversaries and ransomware ceased operations in 2021, the overall number of operating ransomware families increased," CrowdStrike says.

Blockchain analysis firm Chainalysis says in a report that "at least 140 ransomware strains received payments from victims at any point in 2021, compared to 119 in 2020, and 79 in 2019."

3. Conti Remains Constant

Source: Chainalysis

Attack volume tied to different strains of ransomware tends to ebb and flow, although there was a notable exception in 2021. "Conti was the one strain that remained consistently active for all of 2021, and in fact saw its share of all ransomware revenue grow throughout the year," Chainalysis says. "Overall though, Conti's staying power is increasingly outside the norm."

4. Ransomware Strain Longevity Decreases

Source: Chainalysis

On average, a ransomware strain in 2021 remained active for just two months, compared with 12 months in 2019, Chainalysis reports. While that might look like good news, unfortunately, the firm says, the lack of longevity likely owes more to brand maneuvers than operators retiring.

"While at least 140 ransomware strains were active at 2021, many of those strains were in fact run by the same cybercriminal groups," Chainalysis says.

One well-known example: DarkSide, which went dark in June 2021, only to reboot as BlackMatter and then BlackCat, aka Alphv.

Likewise, the release last week from a single developer of free decryption keys for three strains of now-defunct ransomware - Maze, launched in 2019; Sekhmet, launched in March 2020; and Egregor, active from September 2020 to February 2021 - adds evidence to researchers' long-standing suspicions that the strains all traced to the same crime group.

5. Average Ransom Payments Increase

Average ransom payment, when a victim pays (Source: Chainalysis)

Based on blockchain analysis and individual payments made to ransomware groups, Chainalysis computes that the average ransom payment, when a victim chose to pay, increased from $88,000 in 2020 to more than $118,000 in 2021. The increase was bolstered by some very large individual ransom payments, it says.

6. Known Ransomware Revenues Decrease

Total known cryptocurrency value received by ransomware addresses; information current as of January 2022 and likely to change (Source: Chainalysis)

If the story of ransomware last year was one of perpetually more badness, the fact that Chainalysis says that it's traced $602 million in known ransom payments in 2021, down from $692 million in 2020, might seem to offer some respite.

Unfortunately, both figures are sure to increase as more intelligence about wallets used by criminals comes to light.

Twelve months ago, for example, Chainalysis reported that it had identified $350 million in known ransom payments in 2020. Since then, as new intelligence has come to light, that figure has nearly doubled. If that holds for initial 2021 figures, then they would exceed $1 billion.

As a side note, of the known cryptocurrency ransomware payments in 2021, about 74% of the proceeds - worth $400 million - went to individuals or organizations inside or with ties to Russia, Chainalysis says.

7. More Critical Infrastructure Organizations Fall Victim

Joint cybersecurity advisory (Source: U.S. Cybersecurity and Infrastructure Security Agency)

In a joint advisory released last week, government cybersecurity agencies in Australia, the U.K. and U.S. warned that in 2021, they "observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally."

In the U.S., at least 14 of the 16 U.S. critical infrastructure sectors - including communications, emergency water services, the energy sector, financial services and especially healthcare - were known to have been hit by ransomware.

8. Big Game Hunting Surges

Source: Joint cybersecurity advisory released on Feb. 9, 2022, by CISA and partners

Ransomware-wielding criminals in recent years increasingly targeted larger organizations. With a bit of additional effort, compared to smaller organizations, larger businesses offered the potential for much bigger ransom payments.

CrowdStrike says that in 2021, it counted 2,721 big game hunting attacks, by which it means "targeted enterprise ransomware incidents." While it didn't offer comparisons with prior years, the company says big game hunting attacks intensified last year.

But multiple high-profile hits last summer - including against Ireland's national health system and Colonial Pipeline Corp. in the U.S. - drove some big players to exit the scene. As a result, ransomware watchers have been predicting that many attackers won't set their sights so high.

By September 2021, notably, ransomware incident response firm Coveware reported that in Q3 2021, it had seen a shift toward what it calls mid-game hunting.

"This shift from 'big game hunting' to 'mid game hunting' is personified in both the ransom amount statistics but also the victim size demographics from the quarter," Coveware reported.

Likewise, the joint government cybersecurity advisory issued last week notes that after mid-2021, "the FBI observed some ransomware threat actors redirecting ransomware efforts away from 'big game' and toward mid-sized victims to reduce scrutiny."

9. Third-Party Service Providers Get More Money

Source: Chainalysis

Ransomware attackers rarely work alone. Many rely on a ransomware-as-a-service business model, in which core operators maintain code and provide it on demand to business partners, aka affiliates. Many ransomware operations and affiliates alike also work with cybercrime-as-a-service providers. From initial access brokers, for example, they can peruse a menu of organizations for which someone has already gained surreptitious access. Buying such access means that ransomware-wielding attackers can spend less time having to find victims and work out how to break into their network, and more time infecting organizations with ransomware.

Ransomware groups appear to be increasingly relying on such services. Chainalysis reports that "16% of all funds sent by ransomware operators were spent on tools and services used to enable more effective attacks, compared to 6% in 2020." It adds that "while it's possible some of that activity constitutes money laundering rather than the purchase of illicit services, we believe that increasing use of those services is one reason ransomware attackers became more effective in 2021, as evidenced by rising average victim payment sizes."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.